This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

Administrative/Regulatory,
Government

Mar. 26, 2019

Despite outcry over massive data breaches, little has changed

Moody's, one of the world's largest credit rating agencies, may be headed in the right direction. It announced last year that it will begin factoring vulnerability to cyberattacks into its analysis of a corporation's creditworthiness.

Anita Taff-Rice

Founder, iCommLaw

Technology and telecommunications

1547 Palos Verdes Mall #298
Walnut Creek, CA 94597-2228

Phone: (415) 699-7885

Email: anita@icommlaw.com

iCommLaw® is a Bay Area firm specializing in technology, telecommunications and cybersecurity matters.


CYBERSLEUTH

Despite outcry over well-publicized, massive data breaches over the past few years, little has changed. Some states have enacted legislation that makes it easier for consumers to sue over disclosures of their personal information. But why is the onus placed on the consumer, whose data is often collected and stored without their knowledge or consent, to seek restitution?

Wouldn't it be great if there were a way to encourage companies to improve sloppy security practices before a breach occurs? One of the problems in recent data breaches has been that the companies seldom suffer any long-term effects from the breach after the initial negative publicity dies down. Executives don't go to jail. Stock prices rebound.

Moody's, one of the world's largest credit rating agencies, may be headed in the right direction. It announced last year that it will begin factoring vulnerability to cyberattacks into its analysis of a corporation's creditworthiness. While a date has not been announced for these new credit reports to be released, Moody's Investors Service, a division of the credit rating company, has kicked off the effort by researching the market sectors most vulnerable to cyberattacks. The finding, not surprisingly, is that banks, securities firms, financial market infrastructure providers, and hospitals top the list of market sectors most at risk.

The Moody's report found that these four sectors are at greatest risk because they are highly reliant on computers and communications systems for distribution of content or customer engagement. A successful cyberattack could be ruinous, crippling operations and disclosing highly sensitive consumer data. These four sectors collectively hold $11.7 trillion in debt, a meaningful chunk of the estimated $224 trillion total global corporate debt. Moody's identified another 20 industry sectors as "medium risk," for cyberattack, including electric utilities, telecommunications, health insurance, pharmaceuticals and airports. These market sectors hold an additional $12 trillion in debt.

A major cyberattack could severely disrupt operations in any of these 24 market sectors, causing customers to leave, lawyers to sue, regulators to scrutinize and corporate reputation to tank, all of which could produce losses that leave the attacked corporation unable to meet its debt obligations. Hence Moody's decision to begin factoring such threats into its analysis of creditworthiness.

It can't come too soon. Even in the face of the Equifax breach in 2017, one of the largest, and most preventable, data breaches in history, little happened. Stock prices have rebounded, Equifax has retained most of its contracts, and Moody's did not downgrade Equifax's credit rating, according to the Washington Post. Recall that the hack on Equifax's databases exposed the credit files of 145.5 million U.S. consumers. The disclosed data included individuals' names, credit card numbers, Social Security numbers, birth dates, addresses, and driver's license numbers.

Last year, near the one-year anniversary of the Equifax breach, the Government Accountability Office issued a report (GAO-18-559, "Data Protection") confirming that Equifax did just about everything wrong. Hackers got into a consumer-facing web portal, through which consumers could lodge disputes, by exploiting a known vulnerability in the Apache Struts web framework (CVE-2017-5638). Although a patch had been available since early March 2017, notice of it never reached the personnel responsible for the portal because Equifax's internal distribution list was out of date. The illegal downloads of consumer data went undetected because the digital certificate on the tool that was supposed to inspect encrypted network traffic for evidence of malicious activity had expired 10 months earlier, so the outbound traffic was never decrypted and examined. Making matters worse, Wired magazine reported at the time that a separate Equifax employee portal in Argentina used the absurdly amateurish credentials "admin/admin." (The GAO report didn't mention this.)

Equifax had not segmented its network to limit how far an intruder could reach. Once the hackers were in through the unprotected dispute portal, they queried other databases and found unencrypted usernames and passwords. Armed with those credentials, they expanded their access beyond the three databases associated with the online dispute portal to 48 unrelated databases, where they found unencrypted consumer data. Equifax also had no controls on the frequency of database queries, so the hackers were able to run approximately 9,000 queries searching for information, many times more than normal operations would produce, without tripping an alarm. They operated undetected for 76 days.
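The two missing controls described above, a limit on which databases the portal's identity may reach and a ceiling on its query volume, are exactly the kind of thing a detection engineer can check from database audit logs. The following is an added example, not code from this column, from the GAO report or from Equifax; the log format, the `svc_dispute_portal` identity, the database names, the allow-list and the 120-queries-per-hour baseline are all constructed for illustration:

```python
"""Added example (not from the column, GAO-18-559 or Equifax): two checks
run over a constructed database audit log, one for an application identity
reaching databases outside its segment, one for an hourly query count far
above its baseline. Log format, names and thresholds are hypothetical."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical segmentation policy: the databases each application identity
# is expected to touch. The dispute portal's service account should never
# reach the consumer credit-file databases.
ALLOWED_DBS = {
    "svc_dispute_portal": {"disputes_db", "disputes_attach", "disputes_audit"},
}
# Hypothetical per-hour query baseline per identity; an hour above
# RATE_FACTOR times the baseline is flagged.
BASELINE_QPH = {"svc_dispute_portal": 120}
RATE_FACTOR = 3


def constructed_log():
    """Build a constructed audit log (one line per query, fields:
    timestamp principal host database statement): a quiet hour of normal
    portal traffic, then an hour in which the same account fans out across
    48 unrelated databases at twelve times its usual rate."""
    lines = []
    quiet = datetime(2017, 5, 13, 9, 0, 0)
    for i in range(40):
        ts = quiet + timedelta(seconds=90 * i)
        db = "disputes_attach" if i % 4 == 0 else "disputes_db"
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} svc_dispute_portal web-01 {db} SELECT")
    burst = datetime(2017, 5, 13, 10, 0, 0)
    for i in range(480):
        ts = burst + timedelta(seconds=7 * i)  # 480 queries inside one hour
        db = f"consumer_credit_{i % 48:02d}"
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} svc_dispute_portal web-01 {db} SELECT")
    return "\n".join(lines)


def parse_log(text):
    """Parse whitespace-separated audit lines into record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, host, db, stmt = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "principal": principal, "host": host, "db": db, "stmt": stmt,
        })
    return records


def segmentation_violations(records, allowed=ALLOWED_DBS):
    """Map each identity to the sorted list of databases it reached outside
    its allow-list. An identity with no policy entry is allowed nowhere."""
    hits = defaultdict(set)
    for r in records:
        if r["db"] not in allowed.get(r["principal"], set()):
            hits[r["principal"]].add(r["db"])
    return {p: sorted(dbs) for p, dbs in hits.items()}


def rate_anomalies(records, baseline=BASELINE_QPH, factor=RATE_FACTOR):
    """Return (principal, hour, count) for every hour whose query count
    exceeds factor x baseline. Unknown identities have baseline 0, so any
    query by them is flagged."""
    per_hour = Counter(
        (r["principal"], r["ts"].replace(minute=0, second=0)) for r in records
    )
    flagged = []
    for (principal, hour), n in sorted(per_hour.items()):
        if n > baseline.get(principal, 0) * factor:
            flagged.append((principal, hour.isoformat(), n))
    return flagged


if __name__ == "__main__":
    recs = parse_log(constructed_log())
    for principal, dbs in segmentation_violations(recs).items():
        print(f"{principal} reached {len(dbs)} databases outside its policy, e.g. {dbs[:3]}")
    for principal, hour, n in rate_anomalies(recs):
        ceiling = BASELINE_QPH[principal] * RATE_FACTOR
        print(f"{principal} ran {n} queries in hour {hour} (ceiling {ceiling})")
```

Either check alone would have fired in the first anomalous hour rather than after 76 days: the allow-list flags the very first query to a consumer database regardless of volume, and the rate check needs no knowledge of which databases are sensitive. In production the allow-list comes from the application's actual connection configuration and the baseline from a few weeks of observed traffic, and a hit should block the session, not merely log it.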

As part of its effort to assist affected consumers, Equifax set up a dedicated website to help individuals determine whether their information might have been stolen in the breach. The website was a failure: it kept crashing and returned inaccurate results.

It is hard to imagine how it could have been worse. Yet despite Equifax's almost comical performance during and after the breach, Moody's did not lower its credit rating.

The Equifax hack is especially troubling because consumers do not give their information to credit bureaus directly, or willingly. The bureaus compile information from numerous sources, including the banks and merchants with whom a consumer does business (which hand over information on their customers in return for receiving credit scores from the bureaus). There is no privity between the consumer and the bureau, and therefore no way for a consumer to avoid "doing business" with a credit bureau or to opt out of providing personal information, regardless of whether the bureau is completely inept at protecting that data.

Equifax reports that it undertook remedial efforts to correct its security problems, but the GAO notes that it did not independently verify this claim. The Federal Trade Commission, which has regulatory oversight of credit bureaus, is supposedly looking into the Equifax breach, but no action appears to be forthcoming. Calls for legislative fixes to rein in credit bureaus' almost unfettered power over consumers have sputtered. Possibly the only way to force real reform is to hit Equifax (if it hasn't truly corrected the problem), or the next Equifax, in the pocketbook by revising its credit rating to reflect its sub-par performance at protecting its core asset, consumer data.
